Phase One, please fix the site and the forum. When I login in my hotel room all the other hotel guests on the same wifi can see my username, password and personal account data.There's also no DNSSEC: people can do phishing attacks and can spoof the traffic by changing local DNS records, fooling any browser.

I know you're on Microsoft IIS and I only have the knowledge of the more popular NGINX webserver software (conforming and securing websites to standards is my speciality), but also with IIS it's possible. And it costs nothing, only some knowledge and some minutes of your time. And now certs are free too. Or, put the sites behind CloudFlare for the same effect.I also cannot reach your site from many IPs in India, because in India all the new network connections are IPv6 only and your domain name server records of ns2 and ns4 have only an IPv4 record. It only works 50% of the time.

Check https://en.internet.nl/site/www.phaseone.com/results and see: all red crosses.- An insufficient number of name servers (NS) come with an IPv6 address.- Not secured with DNSSEC. Your registrar (most often also your DNS operator) is: DYNAMIC NETWORK SERVICES, INC- HTTP compression supported (dangerous)- HSTS policy could not be found- certain cipher methods offered are not secure: IDEA-CBC-SHA, RC4-SHA, RC4-MD5, DES-CBC-SHA- client-initiated renegotiation allowed (dangerous)- no TLSA record found (DANE)

Anno 2016 it's very easy (at least with NGINX) to get a 100% score. And it's mandatory by law now since some months, to secure any login. Just let me know if you need any extra help. Thanks!

HansVanEijsden wrote:When I login in my hotel room all the other hotel guests on the same wifi can see my username, password and personal account data.

Yeah, but "all" the other guests can't, can they?

Not unless you're in the habit of staying at hotels populated entirely by particularly motivated hackers...

Can we keep at least some sense of proportion about the actual (not the theoretical) risks attached to "unsecured" websites, please?

Here in the Netherlands we have wifi in the trains (and trams). And most of the time it's possible to see all the other connected clients on the network. So, now a lot of students in the trains have network sniffing as a hobby. They have to travel many hours a day to school and back and are scanning with their laptops, just for fun to see what they can capture. Here in The Netherlands it became a real problem already.

digger1914 wrote:Wouldn't use of a VPN solve this? I always use one on any public wifi I access.

Yes, that's a good one. But that's not solving the problem at the source: it's only circumventing it a little bit. I don't know many people who use VPN or who know how to use it. And in the trains, all ports except IMAP/POP3, Submission, HTTP and HTTPS are blocked. And still, the VPN provider can also capture all the data. Fortunately the government here is doing campaigns now to make everybody upgrade their websites to HTTPS and to make it mandatory for websites which store user data.